added/new functionality?

ccoupal at justice.gov.sk.ca ccoupal at justice.gov.sk.ca
Thu Mar 9 14:52:06 GMT 2000


I was thinking if this is not yet available, this could be marked as future
functionality. I think there could be a way around it. I could see it
working like this:
1) The client attempts to connect to Samba, passing the username/password pair.
2) Samba authenticates the username/password pair with the NT Domain.
3) Samba retrieves the user's NT group information (not sure, but I think this may require Samba logging on to the NT Domain as the user to retrieve the user's permission token, which is basically the list of groups).
4) Samba compares the list of groups retrieved from the NT Domain using the username/password pair to a mapping file which maps NT groups to Samba/Unix users (1 to 1).
5) Samba performs all file IO as the mapped account specified by the mapping file.
Your last statement sounds like what I would like to do, but I'm a little shy
of having the info required to implement such a solution (so it works the
way I would like). My Samba box is a domain member, and does use a PDB for
authentication. The problem we had with mapping many NT users to few
Samba/Unix accounts (we found) was the password the NT users would have to
pass to Samba would be the password expected for the Unix account. This
means many NT users would have to have the same password!! I might as well
implement share level security... :-)
Later,
Chris

-----Original Message-----
From:	Kevin Colby [SMTP:kevinc at grainsystems.com]
Sent:	Wednesday, March 08, 2000 7:17 PM
To:	ccoupal at justice.gov.sk.ca
Subject:	Re: added/new functionality?

ccoupal at justice.gov.sk.ca <mailto:ccoupal at justice.gov.sk.ca> wrote:
> I am looking to reduce the overhead of managing UNIX groups and UNIX users,
> so your solution doesn't really help. The groups and users already exist on
> the NT domain, so why do I have to create the user accounts and the groups
> over again on the unix machine?

Unfortunately, the existence of NT groups means nothing to the Unix file
system.  Samba runs on top of it, not as part of it, so Samba _must_ map all
NT user/group settings to Unix UID/GID before any file I/O is done.  There
is no way around it.
> I want to, on connection, eval the connecting user's NT groups (get them
> from the PDC/BDC) and based on the user's group membership, map the user to
> one of the few defined Samba/Unix accounts for all file IO operations
> (through a map file?)

This _can_ be done.  If you have the Samba box be a domain member, it will
pass on the auth info to the NT PDC.  Then, set up the user and group map
files to map several accounts (NT) to a few accounts (Unix).  Would this
suffice?

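Steps 3 to 5 of Chris's proposal, together with the map file Kevin refers to, written out as a small resolver. This is an added example, not code from the thread or from Samba; the map file syntax is modelled on Samba's `username map` file, but matching against the user's NT groups, first-match-wins precedence in file order, and denying a user with no matching group are assumptions of this example.

```python
"""Resolve a connecting NT user to one Unix account by NT group membership.

Constructed example of the flow proposed in the thread: the user's NT
groups are already known (retrieved from the domain), and a map file in
the style of Samba's ``username map`` (``unixuser = @NTGROUP ...``)
decides which Unix account performs the file I/O.  The evaluation rules
and the sample data are assumptions of this example, not Samba's.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed map file: Unix account on the left, NT groups on the right.
MAP_FILE = """
# unix account = NT groups whose members run as that account
clerk   = @CLERKS @TEMPS
lawyer  = @LAWYERS
"""


def parse_map(text: str) -> List[Tuple[str, List[str]]]:
    """Parse ``unixuser = @GROUP ...`` lines into an ordered list.

    Order matters: the first entry that matches wins, so the file author
    controls precedence when a user belongs to several mapped groups.
    Group names are stored lower-cased because NT names are case-insensitive.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        unix_user, _, rhs = line.partition("=")
        groups = [g[1:].lower() for g in rhs.split() if g.startswith("@")]
        entries.append((unix_user.strip(), groups))
    return entries


def resolve_unix_user(nt_groups: Iterable[str],
                      entries: List[Tuple[str, List[str]]]) -> Optional[str]:
    """Return the Unix account for the user's NT groups, or None to deny.

    A user with no matching group gets None: the caller must refuse the
    connection rather than fall through to a default account.
    """
    member_of = {g.lower() for g in nt_groups}
    for unix_user, groups in entries:
        if member_of.intersection(groups):
            return unix_user
    return None
```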
More information about the samba-technical mailing list